Skip to main content
United States flag An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NCUA’s Regulations and Guidance

Banner image saying "Regulation"

NCUA 12 CFR Section 748.0: Security Program

Each federally insured credit union will;

  • Develop a written security program within 90 days of the effective date of insurance.
  • Designed to protect each credit union office from robberies, burglaries, larcenies, and embezzlement;
  • Ensure the security and confidentiality of member records,
  • Protect against the anticipated threats or hazards to the security or integrity of such records, and
  • Protect against unauthorized access to or use of such records that could result in substantial harm or serious inconvenience to a member;
  • Respond to incidents of unauthorized access to or use of member information that could result in substantial harm or serious inconvenience to a member;
  • Assist in the identification of persons who commit or attempt such actions and crimes,
  • Prevent destruction of vital records as defined in 12 CFR Part 749, and
  • Dispose of any consumer information the Federal credit union maintains or otherwise possesses


Letters to Credit Unions

Risk Alerts

Third Parties

Letters to Credit Unions

NCUA 12 CFR Part 748: Oversee Service Provider Arrangements

Credit union officials are responsible for planning, directing, and controlling the credit union’s affairs. To fulfill these duties, the officials should require a due diligence review prior to entering into any arrangement with a third party.   Each credit union should:

  • Exercise appropriate due diligence in selecting its service providers;
  • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and
  • Where indicated by the credit union's risk assessment, monitor its service providers to confirm that they have satisfied their obligations

Business Continuity

Letters to Credit Unions

Risk Alerts

NCUA 12 CFR Part 749 – Records Preservation Program

  • All credit unions must have a written program that includes plans for safeguarding records and reconstructing vital records.

Federal Financial Institutions Examination Council (FFIEC) Guidance

September 2022 Cybersecurity Resource Guide for Financial Institutions

FFIEC IT Examination Handbook InfoBase

The FFIEC Information Technology Examination Handbook is comprised of individual booklets. These booklets represent a series of updates to the existing 1996 FFIEC Information Systems Examination Handbook. They address significant changes in the financial institution technology since 1996.They incorporate changes in technology-related risks and controls and follow a risk-based approach to evaluating risk management practices. The booklets provide valuable information to both examiners and financial institution management.

FFIEC InfoBase Booklets

Business Continuity Management
Development and Acquisition
Information Security
Architecture, Infrastructure, and Operations
Outsourcing Technology Services
Retail Payment Systems
Supervision of Technology Service Providers (TSP)
Wholesale Payment Systems

Reports to Congress

Cybersecurity and Credit Union System Resilience - June 27, 2022

Cybersecurity and Credit Union System Resilience - June 30, 2021

Last modified on